News and Insights
Visit regularly for up-to-date information on relevant news, firm announcements and additions to our AZ Health Law Blog.
by Emily D. Armstrong
Are you or providers sending patient information via text? Are you or providers communicating about patients via text? If the answer to either of these questions is “yes,” beware this could result in fines and legal violations.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a Federal law that addresses, in part, the security and privacy of health data. The law requires the Department of Health and Human Services (“HHS”) to establish rules for the handling of protected health information (“PHI”).
 42 U.S.C. § 1320d et seq.
On August 14, 2013, the Office for Civil Rights (“OCR”) settled violations of HIPAA with Affinity Health Plan, Inc., for over $1.2 million. The settlement arose out of a breach report submitted by Affinity in which it acknowledged that information relating to possibly 344,579 individuals may have been improperly disclosed.
The improper disclosure was revealed s part of an investigative news report in which CBS Evening News purchased a photocopier previously leased by Affinity. CBS reported to Affinity that the hard drive of the copier contained protected health information (“PHI”). After investigating the breach, Affinity reported the breach to OCR. OCR’s investigation concluded that Affinity impermissibly disclosed the PHI by returning the leased copiers without erasing the data on the hard drives. In addition to the monetary settlement, Affinity was required to enter into a corrective action plan under which Affinity must use its best efforts to retrieve all hard drives that were contained on copiers previously leased by Affinity and take measures to safeguard any electronic PHI.
The issue of mobile devices and electronic protected health information (“ePHI”) has become an area of primary concern as health care providers increasingly use mobile devices to communicate with patients or other providers. The Office of the National Coordinator for Health Information Technology, the agency that spearheads the promotion of health information technology, and the Office for Civil Rights, the agency that enforces HIPAA, have taken steps to address this concern.
As the result of a roundtable discussion and public demand, the agencies have developed an educational initiative in accordance with HIPAA’s Privacy and Security Rules. The initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, offers health care providers and organizations tips on ways to protect their patients’ protected information on laptops, tablets, and smart phones.
The initiative seeks to educate providers on the risks associated with using mobile devices in the office setting, and offers tips to reduce the possibility of improper use or disclosure of the information on the devices, including using encryption software, firewalls, and password protection. The initiative was developed with HIPAA requirements in mind, but it does not guarantee compliance with HIPAA. HIPAA requires providers to assess their security and privacy risks and to develop and implement policies and procedures specific to the use of mobile devices in the office setting.
For more information on this initiative, visit www.HealthIT.gov/mobiledevices
The government has published regulations that make sweeping changes to HIPAA. The regulations implement requirements of the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act of 2008.
The final rule implements the following changes:
- Business associates are directly liable for certain aspects of compliance with HIPAA.
- Disclosures of protected health information (“PHI”) for marketing and fundraising purposes are limited.
- The authorization process for patients being enrolled in research studies is refined.
- Requirements for notifying patients and the government in the event of a breach of unsecured PHI are clarified.
- The penalty structure for violating HIPAA is revised.
- Genetic information may not be used or disclosed by health plans for underwriting purposes.
Further changes to the HIPAA Privacy and Security Rules enable patients to exercise greater control over their information, and how it is used and disclosed. For example, Individuals may instruct their providers not to disclose treatment information to health plans if the individual has paid cash for the treatment, and patients will now be able to request their PHI to be provided to them in electronic form.
The official version of “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Act; Other Modifications to the HIPAA Rules,” will be published in the Federal Register on January 25, 2013.
The Office for Civil Rights entered into a $50,000 settlement with Hospice of North Idaho (“HONI”) relating to violations of HIPAA. This settlement, which stemmed from a breach of electronic protected health information (ePHI), has resulted in the first settlement for a violation involving fewer than 500 patients.
The HITECH amendments created an obligation that practices must report certain breaches of “unsecured protected health information” to the government. For breaches involving fewer than 500 individuals, the practice may report the violations in an annual report.
The investigation into HONI stemmed from a breach report submitted by HONI following the theft of a laptop computer that contained ePHI of 441 patients. During the investigation, the OCR found that HONI had no policies or procedures for protecting ePHI on mobile devices as required by HIPAA, nor had HONI conducted a risk analysis to safeguard this information. The OCR stated that “[t]his action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
Practices should ensure their policies and procedures are current and adapted to the practice’s methods of communicating about patients.
For more information, visit HHS’s Press Release.